LVS
lvs-devel
Google
 
Web LinuxVirtualServer.org

[PATCH AUTOSEL 4.4 05/26] ipvs: Fix signed integer overflow when setsock

To: linux-kernel@xxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx
Subject: [PATCH AUTOSEL 4.4 05/26] ipvs: Fix signed integer overflow when setsockopt timeout
Cc: ZhangXiaoxu <zhangxiaoxu5@xxxxxxxxxx>, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>, Sasha Levin <sashal@xxxxxxxxxx>, netdev@xxxxxxxxxxxxxxx, lvs-devel@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx
From: Sasha Levin <sashal@xxxxxxxxxx>
Date: Sat, 23 Feb 2019 16:10:26 -0500
From: ZhangXiaoxu <zhangxiaoxu5@xxxxxxxxxx>

[ Upstream commit 53ab60baa1ac4f20b080a22c13b77b6373922fd7 ]

There is a UBSAN bug report as below:
UBSAN: Undefined behaviour in net/netfilter/ipvs/ip_vs_ctl.c:2227:21
signed integer overflow:
-2147483647 * 1000 cannot be represented in type 'int'

Reproduce program:
        #include <stdio.h>
        #include <sys/types.h>
        #include <sys/socket.h>

        #define IPPROTO_IP 0
        #define IPPROTO_RAW 255

        #define IP_VS_BASE_CTL          (64+1024+64)
        #define IP_VS_SO_SET_TIMEOUT    (IP_VS_BASE_CTL+10)

        /* The argument to IP_VS_SO_GET_TIMEOUT */
        struct ipvs_timeout_t {
                int tcp_timeout;
                int tcp_fin_timeout;
                int udp_timeout;
        };

        int main() {
                int ret = -1;
                int sockfd = -1;
                struct ipvs_timeout_t to;

                sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
                if (sockfd == -1) {
                        printf("socket init error\n");
                        return -1;
                }

                to.tcp_timeout = -2147483647;
                to.tcp_fin_timeout = -2147483647;
                to.udp_timeout = -2147483647;

                ret = setsockopt(sockfd,
                                 IPPROTO_IP,
                                 IP_VS_SO_SET_TIMEOUT,
                                 (char *)(&to),
                                 sizeof(to));

                printf("setsockopt return %d\n", ret);
                return ret;
        }

Return -EINVAL if the timeout value is negative or max than 'INT_MAX / HZ'.

Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@xxxxxxxxxx>
Acked-by: Simon Horman <horms@xxxxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
 net/netfilter/ipvs/ip_vs_ctl.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 3167ec76903a2..56c62b65923f1 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2217,6 +2217,18 @@ static int ip_vs_set_timeout(struct netns_ipvs *ipvs, 
struct ip_vs_timeout_user
                  u->tcp_fin_timeout,
                  u->udp_timeout);
 
+#ifdef CONFIG_IP_VS_PROTO_TCP
+       if (u->tcp_timeout < 0 || u->tcp_timeout > (INT_MAX / HZ) ||
+           u->tcp_fin_timeout < 0 || u->tcp_fin_timeout > (INT_MAX / HZ)) {
+               return -EINVAL;
+       }
+#endif
+
+#ifdef CONFIG_IP_VS_PROTO_UDP
+       if (u->udp_timeout < 0 || u->udp_timeout > (INT_MAX / HZ))
+               return -EINVAL;
+#endif
+
 #ifdef CONFIG_IP_VS_PROTO_TCP
        if (u->tcp_timeout) {
                pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP);
-- 
2.19.1


<Prev in Thread] Current Thread [Next in Thread>
  • [PATCH AUTOSEL 4.4 05/26] ipvs: Fix signed integer overflow when setsockopt timeout, Sasha Levin <=